Conventionally, user authentication for a service offered by a service provider on the Internet (a WWW server) has been performed individually by that service provider, so that a user has had to enter into a direct contract with each service provider in order to be authenticated by it. As a result, the user has had to keep and periodically update the authentication information (such as an ID and password) for each service provider, which has often been inconvenient for the user (see, for example, Japanese Laid-Open Patent Publication No. 2003-44484).
To address this, a system known as a single sign-on system has been devised, in which the user needs to perform only a single log-in operation to gain access to a plurality of service providers. The single sign-on system eliminates the need for the user to keep and update a plurality of IDs and passwords, thereby reducing the user's burden. Because the authentication is shared, it also reduces the burden on system administrators and application developers. Such conventional systems, however, have had the following problems with respect to system building and security.
1. Service providers are required to synchronize their systems with the directory service, the predetermined single sign-on authentication procedure, and so on adopted by the single sign-on authentication facility provider, and must build and operate their systems under this constraint, which results in additional cost.
2. When a service provider contracts with a plurality of network service providers and offers its service to the users of all of them, the service provider must build and operate a separate system corresponding to the single sign-on authentication system of each network service provider.
3. After the single sign-on authentication (user authentication) by means of the user's ID and password, the information sent from the user authentication server to uniquely identify the authenticated user (hereinafter referred to as the session ID) must be stored in the terminal used by the user. Consequently, if the session ID is stolen and illegally used from another terminal, the service provider cannot distinguish whether the access is being made by the authorized user or not.
4. Since all services can be received with the one session ID, if it is stolen, the unauthorized user is able to access all of the service providers from the other terminal.
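As an added illustration of problems 3 and 4 (constructed example code, not part of the original publication and not the method of the invention it introduces), the following Python simulation shows a session ID issued by a single sign-on authentication server being accepted from a second terminal by every service provider, and contrasts it with a hypothetical server that binds the session ID to the terminal that performed the log-in. The class names, the user `alice`, the credentials, the terminal labels and the service provider names are all assumptions made for the example.

```python
"""Constructed simulation of a bearer session ID shared by several service providers."""
import secrets

# Constructed sample data (not from the page): one user and three service providers
# that all rely on the same single sign-on authentication server.
USERS = {"alice": "correct-horse-battery"}
SERVICE_PROVIDERS = ("mail.example", "shop.example", "photos.example")


class BearerAuthServer:
    """Conventional SSO server: possession of the session ID alone proves identity."""

    def __init__(self):
        self._sessions = {}  # session ID -> user name

    def login(self, user, password, terminal):
        if USERS.get(user) != password:
            return None
        sid = secrets.token_hex(16)  # afterwards stored on the user's terminal
        self._sessions[sid] = user  # the terminal is not recorded at all
        return sid

    def resolve(self, sid, terminal):
        # The server has nothing to compare 'terminal' against, so any terminal
        # presenting a valid session ID is treated as the authorized user.
        return self._sessions.get(sid)


class BoundAuthServer:
    """Hypothetical variant (an assumption, not the page's method): the session ID
    is only honoured from the terminal that logged in."""

    def __init__(self):
        self._sessions = {}  # session ID -> (user name, terminal)

    def login(self, user, password, terminal):
        if USERS.get(user) != password:
            return None
        sid = secrets.token_hex(16)
        self._sessions[sid] = (user, terminal)
        return sid

    def resolve(self, sid, terminal):
        entry = self._sessions.get(sid)
        if entry is None or entry[1] != terminal:
            return None
        return entry[0]


def access_all(auth, sid, terminal):
    """Each service provider independently asks the authentication server whether
    the presented session ID is valid. Returns the set of providers that grant access."""
    granted = set()
    for sp in SERVICE_PROVIDERS:
        if auth.resolve(sid, terminal) is not None:
            granted.add(sp)
    return granted


def run_scenario(auth):
    """Log in once from terminal A, then replay the same session ID from terminal B
    (the theft itself is out of scope; the ID is simply reused)."""
    sid = auth.login("alice", "correct-horse-battery", "terminal-A")
    return {
        "owner": access_all(auth, sid, "terminal-A"),
        "thief": access_all(auth, sid, "terminal-B"),
    }


if __name__ == "__main__":
    for server in (BearerAuthServer(), BoundAuthServer()):
        result = run_scenario(server)
        print(type(server).__name__, "owner:", sorted(result["owner"]),
              "thief:", sorted(result["thief"]))
```

With `BearerAuthServer` the replay from terminal B is granted by all three providers, which is exactly problems 3 and 4: no provider can tell the two terminals apart, and one stolen ID opens every service. `BoundAuthServer` refuses the replay, but only as well as the terminal attribute it is bound to can be trusted; a network-visible attribute such as an IP address can be shared or spoofed, so this check is an illustration of the kind of binding that is missing, not a complete defence.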